Print access logs for rejected requests and warn about new behavior

2025-12-16 16:20:05 +01:00 · 2025-12-16 16:20:05 +01:00 · 60b19b7b81
commit 60b19b7b81
parent e0e49533ab
10 changed files with 371 additions and 147 deletions
--- a/pkg/server/routerfactory.go
+++ b/pkg/server/routerfactory.go
@ -21,9 +21,11 @@ import (

 // RouterFactory the factory of TCP/UDP routers.
 type RouterFactory struct {
-	entryPointsTCP  []string
-	entryPointsUDP  []string
-	allowACMEByPass map[string]bool
+	entryPointsTCP []string
+	entryPointsUDP []string
+
+	allowACMEByPass             map[string]bool
+	deniedEncodedPathCharacters map[string]map[string]struct{}

 	managerFactory *service.ManagerFactory

@ -64,15 +66,21 @@ func NewRouterFactory(staticConfiguration static.Configuration, managerFactory *
 		}
 	}

+	deniedEncodedPathCharacters := map[string]map[string]struct{}{}
+	for name, ep := range staticConfiguration.EntryPoints {
+		deniedEncodedPathCharacters[name] = ep.HTTP.EncodedCharacters.Map()
+	}
+
 	return &RouterFactory{
-		entryPointsTCP:  entryPointsTCP,
-		entryPointsUDP:  entryPointsUDP,
-		managerFactory:  managerFactory,
-		metricsRegistry: metricsRegistry,
-		tlsManager:      tlsManager,
-		chainBuilder:    chainBuilder,
-		pluginBuilder:   pluginBuilder,
-		allowACMEByPass: allowACMEByPass,
+		entryPointsTCP:              entryPointsTCP,
+		entryPointsUDP:              entryPointsUDP,
+		managerFactory:              managerFactory,
+		metricsRegistry:             metricsRegistry,
+		tlsManager:                  tlsManager,
+		chainBuilder:                chainBuilder,
+		pluginBuilder:               pluginBuilder,
+		allowACMEByPass:             allowACMEByPass,
+		deniedEncodedPathCharacters: deniedEncodedPathCharacters,
 	}
 }

@ -85,7 +93,7 @@ func (f *RouterFactory) CreateRouters(rtConf *runtime.Configuration) (map[string

 	middlewaresBuilder := middleware.NewBuilder(rtConf.Middlewares, serviceManager, f.pluginBuilder)

-	routerManager := router.NewManager(rtConf, serviceManager, middlewaresBuilder, f.chainBuilder, f.metricsRegistry, f.tlsManager)
+	routerManager := router.NewManager(rtConf, serviceManager, middlewaresBuilder, f.chainBuilder, f.metricsRegistry, f.tlsManager, f.deniedEncodedPathCharacters)

 	handlersNonTLS := routerManager.BuildHandlers(ctx, f.entryPointsTCP, false)
 	handlersTLS := routerManager.BuildHandlers(ctx, f.entryPointsTCP, true)